Detective Control

From The Secure Arc Wiki

Detective Controls are all about monitoring. This can include IDS and IPS tools such as Snort, or a configuration management system that monitors key configuration files for unauthorized changes. The key thing to understand about Detective Controls is that they are reactive: by the time they identify an attack it may already be too late.

When identifying a Vulnerability, part of the Countermeasures assessment should be to determine whether automated monitoring could be configured to detect an attack on that vulnerability. This may take the form of network monitoring for a specific signature, or of a custom application recording an audit event that is itself monitored.

These detective controls may simply provide statistics on what did and did not happen, and when; or they may also actively initiate some kind of Corrective or Preventative Control to limit the impact of the exploit.

Triggered Preventative Controls may take the form of shutting down a server if the underlying authorisation server has become unresponsive.

Triggered Corrective Controls may take the form of a firewall rule change blocking access from the source IP address of the attack. Many sites will temporarily block an IP address if a port scan is detected from it, since a scan may be a sign that the scanner is looking for vulnerabilities to exploit.
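As an added example (not from the Secure Arc Wiki), the following Python sketch shows the detective-to-corrective chain described above: it reads constructed firewall log lines, flags a source that touches many distinct ports inside a short window, and turns each alert into a temporary block rule with an expiry time. The log format, thresholds, window length, block duration and the iptables rule text are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log lines (sample data made up for this example).
SAMPLE_LOG = """\
2024-01-01T10:00:00 src=203.0.113.5 dport=21 action=DROP
2024-01-01T10:00:01 src=203.0.113.5 dport=22 action=DROP
2024-01-01T10:00:01 src=203.0.113.5 dport=23 action=DROP
2024-01-01T10:00:02 src=203.0.113.5 dport=25 action=DROP
2024-01-01T10:00:02 src=198.51.100.7 dport=443 action=ACCEPT
2024-01-01T10:00:03 src=203.0.113.5 dport=80 action=ACCEPT
2024-01-01T10:00:03 src=203.0.113.5 dport=110 action=DROP
2024-01-01T10:00:04 src=203.0.113.5 dport=143 action=DROP
2024-01-01T10:00:05 src=203.0.113.5 dport=443 action=ACCEPT
2024-01-01T10:00:05 src=203.0.113.5 dport=445 action=DROP
2024-01-01T10:00:06 src=203.0.113.5 dport=3389 action=DROP
"""
SCAN_THRESHOLD = 10                     # distinct destination ports from one source (assumed)
WINDOW = timedelta(seconds=60)          # sliding window for counting those ports (assumed)
BLOCK_DURATION = timedelta(minutes=15)  # temporary block, so the rule expires (assumed)

def parse_line(line):
    """Return (timestamp, src, dport), or None for a malformed line."""
    try:
        ts, src, dport, _ = line.split()
        return (datetime.fromisoformat(ts), src.split("=", 1)[1],
                int(dport.split("=", 1)[1]))
    except (ValueError, IndexError):
        return None

def detect_port_scans(log_text):
    """Detective control: flag sources hitting SCAN_THRESHOLD distinct ports in WINDOW."""
    recent = defaultdict(list)  # src -> [(ts, dport), ...] still inside the window
    alerts = {}                 # src -> time of first alert
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dport = rec
        recent[src] = [(t, p) for t, p in recent[src] if ts - t <= WINDOW]
        recent[src].append((ts, dport))
        if src not in alerts and len({p for _, p in recent[src]}) >= SCAN_THRESHOLD:
            alerts[src] = ts
    return alerts

def build_block_rules(alerts):
    """Triggered corrective control: one temporary DROP per flagged source, with an expiry."""
    return [(src, ts + BLOCK_DURATION, f"iptables -I INPUT -s {src} -j DROP")
            for src, ts in sorted(alerts.items())]
```

The expiry returned alongside each rule is what makes this a corrective rather than a permanent change; a scheduler that removes the rule once the expiry passes is left out here.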

The primary type of triggered control is a Corrective Control. Even if the monitoring system is able to detect an active attack and trigger a response, at best you can only limit the impact of that attack, since it has already begun and may have already been at least partially successful.